Thursday, December 29, 2011

Since I finally have access to a retail PS VITA, today I started with some basic tests.

After a complete freeze of the system within the first 5 minutes after unboxing (*always happens to new consoles 4 me rofl*), I went on and noticed that there is a problem with the VITA's encryption functions and was able to decrypt some test files directly via the system.

Friday, December 16, 2011

The PKGs I used for my tests were pretty old and the key update was expected.
Nevertheless it's a bit disappointing, but a nice new challenge :)

The PS3 can decrypt the new packages on firmware 4.00 which contains the new PS VITA PKG AES key for the PS3 <--> PS VITA content exchange feature. This means we can decrypt and get the content of the PS VITA PKG files via a 4.00 PS3. Sadly there's no solution to re-encrypt it again, yet.

Wednesday, December 14, 2011

Due to the lawsuits against PS3 researchers, I am writing this little how-to. It is based on my personal experience under European law. Don't expect this to be a doctor exam like text, just a little guideline on how to not fully destroy your life :)

HOW-TO: 10 Not get fu*ked 4 life by Billion-$-Company-X

*replace x with rich company of your choice

1. Self control !

Do not lose your self control, this is the most important thing.

2. Encrypt all your data with up to date encryption tools like TrueCrypt

The court can arrange to take your hardware into custody and check all data on it. If it is encrypted you can be sure they will not get anything against you here. You can not be forced to disclose your private password to decrypt it! The problem is, you might not get it back if it's encrypted. You decide if it's worth it. The court can also charge a sum X per item to be checked. This might become expensive, so expect that you can not get everything back without investing a huge sum.

3. Never publish, share or distribute copyrighted code in any way, this might break your neck

Publishing, sharing or redistributing copyrighted data is illegal. Don't do it! Once you did, it's hard to prove anything else. If possible, remove all files or data which you published. This may be an advantage and good for you in front of court.

4. Do not agree to personal meetings with Billion-$-Company-X

The company might invite you to a private personal discussion. Under any circumstances - do not go there if you don't feel 100% prepared. You will be confronted with 1-3 highly skilled lawyers if you decide to join their meeting. Usually their lawyers have very good experience in human psychology and will get you to sign contracts which they can use against you sooner or later. An example would be that this contract includes that you are responsible for ALL further damage which MIGHT be caused through the data you may have published. This damage has a trivial worth and can rise up to multiple hundred thousand euros. If the company has any reliable proof against you, they arrange a court meeting, not a personal one. Remember you can not be forced to agree to a private meeting. It can cause a lot more trouble than you expect.

5. Keep all communication text-based or via lawyer

Any phone or personal communication can be used against you. Text communication is easier to keep track of and you can let it be checked by your lawyer or person of trust.

6. Get an attorney at law and NOT the cheapest backyard lawyer

Be sure your lawyer (if you choose to take one) has great experience in IT law. Every lawyer will say "YEAH SURE" if you need one, but just because they are interested in your money and not your behavior. Use Google or ask your local government for a decent attorney at law.

If the company insists on a contract, let your lawyer set it up.

7. If you do not have millions on your bank account, say sorry and give up

Do not be too optimistic and think you could win against a Billion-$-Company-X. There is a difference between "be in right" and "get right". In 99,9% of the cases, the party with more money will win even if you acted 100% legally. They can spend limitless resources to make your life worse. A court case can take several years and in those years you have to pay your lawyer and more. Do you have the money to do this? No? Then accept that you are fu*ked and contact the company. If it is not too late, make a clear statement that you will not continue your work which belongs to the case. Say sorry and distance yourself from anything related.

8. Hope for an out-of-court agreement

As mentioned in point 7, a long and time-consuming court case costs money. Probably more than you have. Follow point 7 as fast as you can, so you are aware if the company is OK with your apology. If you are lucky, you are out of the deepest sh*t.

9. In front of court

If it comes to a confrontation in front of court, you are warned weeks in advance. Make notes, let your lawyer research all possible ways to defend you. Most courts are not aware of up to date IT law, as most laws were formed in analog times, so the Billion-$-Company-X will try as hard as they can to prove that what you did was wrong, even if it is actually legal. Don't let them provoke you. Shut up and let your lawyer do the work, unless the court asks you. If possible, "no comment". No comment == you can't make anything worse.

10. Don't fight with dragons

As said before, if you do not have unlimited money or some atomic bombs behind you, do not fight against dragons. You can not win. The world is ruled by money and the ones with the most will always get their will. Do not think you can change this; even if it sounds a bit sad, it has to be said.

Since I experienced many such cases myself, I know best how you feel if it happens. If you need assistance, do not hesitate to e-mail me. If you find any huge mistakes or think I have forgotten something important, let me know.

To use it, simply choose the root folder of a PS VITA game. Then check the style in the upper right of the program which it is meant to be displayed with and choose the correct tab. All else is self-explanatory.

Tuesday, April 26, 2011

The PSN is down, all accounts got dumped by an anonymous hacker and the community is cryin' for answers. 77 million accounts with password and sometimes CC info are worth a lot in several hack chans. This is a very huge case.

Now SONY engaged an external security company to discover the holes in SONY's system and find answers. As I was wondering if there may be some information about the actual case we can find out publicly, I researched a bit myself.

One interesting point I found is an unsecured access log of a PSN environment. You will quickly notice the IP 214.1.211.251, which sends requests like a vulnerability scanner. The IP points to the DoD Network Information Center, based in Ohio, USA.

The first log entry of this IP is [03/Mar/2011:07:10:38 -0800]. As the DoD is known as being easy to hack, the anonymous hacker could have used this as a proxy.

Maybe SONY might want to take a look at this IP, I hope soon we get some news and details about the case...